Digital payment firms pad up against hacker attacks

A spurt in digital transactions and payments has prompted many such companies to conduct special audits of their security as recommended by the Reserve Bank of India and add extra layers of security on their platforms.

Pratik Bhakta & Mugdha Variyar | ET Bureau | December 19, 2016, 09:34 IST

A spurt in digital transactions and payments in the wake of demonetisation may have spelt a bonanza to digital wallets and mobile payment companies, but it has also increased threats from hackers.

This has prompted many such companies to conduct special audits of their security as recommended by the Reserve Bank of India and add extra layers of security on their platforms.

RBI recently put out a notification urging all prepaid payments instrument players, or PPIs, to carry out a special audit of their security systems on a priority basis through security auditors empanelled by the Indian Computer Emergency Response Team (CERT-In) and take steps to comply with the findings of the audit report.

The government also called for an audit of the financial sector, starting with the National Payment Corporation of India, as well as the review of the IT Act in the light of threats of cyberattacks and hacking by groups such as Legion, which recently claimed to have hacked into several high-profile Twitter accounts.

“The scope of the system audit includes evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing the systems and applications, documentation,” RBI said in the notice to all prepaid payments companies, including mobile wallet companies.

“We have initiated a thorough audit of our systems as per RBI directive to ensure that the system is fully secure and no vulnerability exists,” said Jitendra Gupta, founder of Citrus Pay. “We will undertake a check into our prepaid systems, access, user authentication, virus scan, external access and server security.”

Rohan Khara, director of products at MobiKwik, said the company has started the process with an RBI-approved company to conduct an audit. “We are about to close the audit process very soon,” he said. RBI has asked payment companies to share the names of auditors by December 21.

“Our platform complies with PCI DSS and other standards and we have initiated the process to conduct the audit as per guidance received from RBI,” said Transerv CEO Anish Williams. “Additionally, we continue to closely monitor customer interactions and strengthen our risk management framework on an ongoing basis.”

“While our existing measures provide a watertight security to our systems, we are still on the lookout for unknown threats to address, for which we also invite white-hat hackers to find potential threats in our systems,” a Paytm spokesperson said.